RSA Authentication Manager – Unable to Add or Manage Users with Error “The specified ID is already in use”
Originally Published: 2011-04-04
Article Number
000040115
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

When an RSA Authentication Manager administrator attempts to add or manage a user — for example, when assigning a token — the Security Console displays one of the following errors: 

The specified ID is already in use by an unresolvable user within this realm
Principal with userid already exists in the realm: <username>
Cannot add or manage a user with user ID <UserID>. User IDs must be unique within a deployment. This user ID is already in use.
Account is locked out of emergency authentication
This is a read only external LDAP identity source
Cause

These errors occur when a user record in RSA Authentication Manager cannot be uniquely resolved across one or more identity sources. There are two common root causes:

  • Duplicate user entries — The same user ID exists in multiple identity sources, causing a conflict during management operations.
  • Unresolvable LDAP user — A user was removed from the external directory or moved to an organizational unit (OU) that is out of scope of the identity source, leaving an orphaned record in the Authentication Manager database.
Resolution

CAUTION: Before proceeding, take a full database backup by following the article linked below.

Create a Backup Using Back Up Now

Identify which scenario below matches your error and follow the corresponding steps.

Scenario 1: Duplicate User Entries Across Identity Sources

  1. Log in to the Security Console.
  2. Navigate to Identity > Users > Manage Existing.
  3. Under Search Criteria, click Search for users across all identity sources.
  4. Enter the affected user ID and run the search.
  5. If multiple results appear for the same user ID, delete all duplicate entries — keeping only the correct user record.
  6. Verify: Attempt to manage the user again. Confirm no error is displayed.

Scenario 2: Unresolvable User in LDAP

  1. Log in to the Security Console.
  2. Navigate to Reporting > Reports > Add New > Users and Groups No Longer in Identity Source.
  3. Select the correct external identity source and generate the report.
  4. Review the report to confirm the affected user is listed.
  5. Navigate to Setup > Identity Sources > Clean Up Unresolvable Users.
  6. Select the identity source to clean.
  7. For the Grace Period, choose one of the following:
    • To clean up users unresolvable for more than a set number of days — select the checkbox and specify the number of days.
    • To clean up users immediately — clear the checkbox.
  8. Click Next.
  9. Select Force system to delete all users and groups from the internal database that no longer exist in the external identity source and click Next.
  10. Verify: Re-run the report to confirm the unresolvable user no longer appears.


NOTE: If the cleanup does not remove the user, proceed to the LDAP filter steps below.

If cleanup does not resolve the issue — Modify the LDAP Identity Source Filter:

  1. Open the Operations Console and navigate to Deployment Configuration > Identity Sources > Manage Existing.
  2. From the dropdown next to the affected identity source, select Edit.
  3. Click the Map tab.
  4. Scroll to the Directory Configuration - Users section.
  5. Update the default search filter to temporarily exclude the affected user. Change from:
    (&(objectClass=User)(objectcategory=person))
    To:
    (&(objectClass=User)(objectcategory=person)(!(samAccountName=<username>)))

    Replace <username> with the affected user's account name.

  6. Re-run the Clean Up Unresolvable Users steps from Scenario 2 above to remove the user entry.
  7. Once cleanup is complete, revert the search filter back to:
    (&(objectClass=User)(objectcategory=person))
  8. Verify: Confirm the user no longer appears in the unresolvable users report and that no error is displayed when managing other users.
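The exclusion filter in step 5 is built by splicing an account name into an LDAP search filter string, so it is worth checking that the result is well-formed and excludes only the intended account before it is saved in the Operations Console. The following is an added example, not RSA's code or part of this article: it builds the temporary filter shown above from the default filter, escapes the account name per RFC 4515 so that characters such as `(`, `)` or `*` cannot change the filter's structure, and evaluates both filters against a few constructed directory entries with a minimal parser that supports only the `&`, `!` and equality constructs used here. The function names, the sample entries and the simplified `objectCategory` value (a real Active Directory entry holds a schema DN there) are all assumptions made for the example.

```python
"""Build and sanity-check the temporary LDAP exclusion filter described in the article.

Added example, not RSA's code. The two filter strings are the ones shown in the
article; the account names and directory entries are constructed sample data.
"""
import re

DEFAULT_USER_FILTER = "(&(objectClass=User)(objectcategory=person))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_exclusion_filter(username: str, base_filter: str = DEFAULT_USER_FILTER) -> str:
    """Return the article's temporary filter: the base AND group with the user excluded."""
    if not (base_filter.startswith("(&") and base_filter.endswith(")")):
        raise ValueError("base filter must be an (&...) group")
    clause = "(!(samAccountName=%s))" % escape_filter_value(username)
    return base_filter[:-1] + clause + ")"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\xx) back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int = 0):
    """Recursive-descent parser for the subset used here: (&...), (!...), (attr=value).

    Returns (node, index_after_node). Nodes are ('and', [..]), ('not', node) or
    ('eq', attr_lower, value).
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if s[i] == "&":
        items, i = [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated AND group")
        return ("and", items), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT")
        return ("not", node), i + 1
    end = s.find(")", i)  # escaped parens are \29, so this is the clause's own ')'
    if end < 0:
        raise ValueError("unterminated equality clause")
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.lower(), _unescape(value)), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry (attribute names lowercased, values case-insensitive)."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == value.lower() for v in values)


# Constructed sample entries; objectcategory is simplified to a bare word.
SAMPLE_ENTRIES = [
    {"samaccountname": "jdoe", "objectclass": ["top", "person", "user"], "objectcategory": "person"},
    {"samaccountname": "asmith", "objectclass": ["top", "person", "user"], "objectcategory": "person"},
    {"samaccountname": "fileserver01", "objectclass": ["top", "computer"], "objectcategory": "computer"},
]


def in_scope(filter_string: str, entries=SAMPLE_ENTRIES) -> list:
    """Return the sAMAccountNames that the filter keeps in the identity source's scope."""
    node, consumed = _parse(filter_string)
    if consumed != len(filter_string):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(in_scope(DEFAULT_USER_FILTER))                 # default scope: jdoe, asmith
    print(in_scope(build_exclusion_filter("jdoe")))      # temporary scope: asmith only
```

`in_scope(build_exclusion_filter("jdoe"))` should differ from `in_scope(DEFAULT_USER_FILTER)` by exactly the affected account; if the difference is larger, the filter would also drop accounts that are not unresolvable, and cleanup would remove them too.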
Notes